This post provides an overview of the planned proofs of concept we have been working on to try to get this right. In this series of posts I intend to provide a step-by-step guide for setting up each of these scenarios, or, if a sufficient walkthrough is already available, I will point you to that. The proofs of concept I intend to cover are:
Web Services secured with Kerberos
This proof of concept aims to show we can create web services which can be secured with a Kerberos token.

Web Services using Delegation
This proof of concept aims to show we can create a web service which can delegate the client's credentials to access backend services under the context of the client. The following diagram shows how this will look.

BizTalk Signing and Encryption with Kerberos
This proof of concept aims to show we can use the WSE Adapter to call and expose services which are secured using Kerberos. The following diagram shows how this is intended to look.

BizTalk Credential Delegation
This proof of concept aims to show we can flow credentials through BizTalk and call back end services under the context of the calling client. The following diagram shows how this is intended to look.

Proof Of Concept Summary
Across the proofs of concept we need to be able to do the following:
- Send a request to a WSE web service which is signed and encrypted with a KerberosToken2
- Receive a response from a WSE web service which is signed and encrypted with a KerberosToken2
- Use delegation and KerberosToken2 to pass credentials from a client to a WSE web service and then forward them to another WSE web service where the back end service will impersonate the client
- Use delegation and KerberosToken2 to pass credentials from a client to a WSE web service and then forward to a web service secured with IIS Windows Integrated Security
- Send a request to a BizTalk WSE web service which is signed and encrypted with a KerberosToken2
- Receive a response from a BizTalk WSE web service which is signed and encrypted with a KerberosToken2
- Use delegation and KerberosToken2 to pass credentials from a client to a BizTalk WSE web service and then route through BizTalk and finally forward them to another WSE web service where the back end service will impersonate the client
- Use delegation and KerberosToken2 to pass credentials from a client to a BizTalk WSE web service and then route through BizTalk and finally forward to a web service secured with IIS Windows Integrated Security
- Send a request to and get a response from a WSE Web Service using the BizTalk WSE 2 adapter to sign and encrypt a message with a KerberosToken2